Hackers Hijack BlackWallet DNS Server, Steal $400,000

Crypto-hungry hackers have stolen $400,000 via a DNS attack and a replica BlackWallet site in the latest blockchain security compromise

Although cryptocurrency valuations may have walked back from their late-2017 all-time highs, hackers are still energetically pursuing crypto investors, as well as deploying a wide range of malware.

In a particularly full-throttle attack, hackers have recently stolen $400,000 (£290,000) of the virtual currency Stellar Lumen (XLM) by compromising the server that hosts BlackWallet, a web-based wallet application.

The attack involved accessing the admin’s hosting account, then changing the DNS records to point to a replica BlackWallet site. When users logged into the fake site, their wallet balances were transferred to the hackers if the balance was above 20 XLM.
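A record change of this kind is visible from outside the compromised hosting account, which is where a defender would want to watch for it. The following is an added example, not code from the article or from BlackWallet: it parses zone-style answer lines, compares them with an approved baseline and reports what changed. The domain, addresses and record lines are constructed sample data.

```python
"""Added example: DNS baseline-drift check for a wallet front-end domain.
Not part of the original article; all names and addresses are constructed."""
import re
from dataclasses import dataclass

# Accepts lines in the shape produced by most resolvers: "name ttl IN TYPE data"
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>A|AAAA|CNAME|NS|MX)\s+(?P<data>\S+)$"
)


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    data: str


def parse_records(text):
    """Parse zone-style lines into a set of Records; non-matching lines are skipped."""
    records = set()
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.add(Record(m["name"].lower().rstrip("."),
                               m["type"],
                               m["data"].lower().rstrip(".")))
    return records


def detect_drift(baseline, observed):
    """Compare observed answers with the approved baseline, grouped by (name, type).
    Returns a sorted list of alert strings; an empty list means no drift."""
    alerts = []
    keys = {(r.name, r.rtype) for r in baseline | observed}
    for name, rtype in sorted(keys):
        old = sorted(r.data for r in baseline if (r.name, r.rtype) == (name, rtype))
        new = sorted(r.data for r in observed if (r.name, r.rtype) == (name, rtype))
        if old == new:
            continue
        if old and new:
            alerts.append(f"CHANGED {rtype} {name}: {', '.join(old)} -> {', '.join(new)}")
        elif new:
            alerts.append(f"ADDED {rtype} {name}: {', '.join(new)}")
        else:
            alerts.append(f"REMOVED {rtype} {name}: {', '.join(old)}")
    return alerts


# Constructed sample data: the approved records, and an answer set after a hijack
# that swapped the A record to an address the operator never approved.
BASELINE = """
wallet.example. 300 IN A 203.0.113.10
wallet.example. 300 IN NS ns1.hosting-provider.example.
"""
OBSERVED_HIJACKED = """
wallet.example. 300 IN A 198.51.100.77
wallet.example. 300 IN NS ns1.hosting-provider.example.
"""


def check(baseline_text, observed_text):
    """Convenience wrapper: parse both texts and return the drift alerts."""
    return detect_drift(parse_records(baseline_text), parse_records(observed_text))


if __name__ == "__main__":
    for alert in check(BASELINE, OBSERVED_HIJACKED):
        print(alert)
```

The observed answers must come from a resolver the hosting account cannot influence, polled on a schedule shorter than the record TTL; a check that runs only inside the same account the attacker took over would see whatever the attacker wrote.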

A poster on Reddit claiming to be the admin said: “BlackWallet was compromised today, after someone accessed my hosting provider account. I am sincerely sorry about this and hope that we will get the funds back. I am in talks with my hosting provider to get as much information about the hacker and will see what can be done with it. If you ever entered your key on blackwallet, you may want to move your funds to a new wallet using the stellar account viewer. Please note however that BlackWallet was only an account viewer and that no keys were stored on the server!”

“Many cryptocurrency platforms and exchanges are compromised without even being noticed or publicly disclosed. Many cryptocurrencies and blockchain startups don’t have enough skills and other resources to protect their infrastructure from sophisticated cyberattacks.

“Meanwhile, cybercriminals pay more and more attention to the emerging world of blockchain fintech, which can bring them even more ROI than a routine credit card or PayPal scam. In the near future we will likely see a sustainable growth of similar incidents capable of undermining overall trust in cryptocurrencies. With GDPR enforcement in May next year, these breaches will result in financial penalties that could ruin the startups.”

Good news: the internet got a tiny bit safer when Let's Encrypt plugged a significant flaw in TLS-SNI validation that potentially allowed attackers to obtain HTTPS certificates for sites they do not own, lending authenticity to a typosquatted or cloned site. The issue centred on the fact that TLS-SNI-01 and its planned successor, TLS-SNI-02, could be abused under specific circumstances, because many hosting providers do not validate domain ownership. Where a provider also hosts multiple users on the same IP address, it was possible to obtain a Let's Encrypt HTTPS certificate for another user's website via TLS-SNI-01.
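To make the shared-IP condition concrete, here is an added toy model of TLS-SNI-01 validation, written for this article rather than taken from Let's Encrypt or any hosting provider. It shows the weak provider policy (accept any certificate name from any customer) beside the corrected one (only names the customer owns, and never the reserved `.acme.invalid` namespace). The tenants, domains and key authorization string are constructed; the validation-name construction follows the retired ACME draft.

```python
"""Added example: toy TLS-SNI-01 validation against a shared-hosting IP.
Not code from Let's Encrypt or the article; tenants and tokens are constructed."""
import hashlib

ACME_SUFFIX = ".acme.invalid"


def validation_name(key_authorization):
    """TLS-SNI-01 (retired): the CA hashes the key authorization with SHA-256 and
    expects a self-signed certificate for Z[0:32].Z[32:64].acme.invalid."""
    z = hashlib.sha256(key_authorization.encode()).hexdigest()
    return f"{z[:32]}.{z[32:]}{ACME_SUFFIX}"


class SharedHost:
    """Many customers behind one IP address; TLS is routed by SNI to whichever
    tenant uploaded a certificate carrying that name."""

    def __init__(self, validate_ownership):
        self.validate_ownership = validate_ownership
        self.owners = {}  # domain -> tenant
        self.certs = {}   # certificate name (SAN) -> tenant

    def assign_domain(self, tenant, domain):
        self.owners[domain] = tenant

    def upload_certificate(self, tenant, san):
        """Weak policy: any name is accepted. Corrected policy: the tenant must own
        the name, and the reserved validation namespace is never accepted."""
        if self.validate_ownership:
            if san.endswith(ACME_SUFFIX) or self.owners.get(san) != tenant:
                return False
        self.certs[san] = tenant
        return True

    def tls_handshake(self, sni):
        """Return (tenant, san) for the certificate served for this SNI, or None."""
        tenant = self.certs.get(sni)
        return None if tenant is None else (tenant, sni)


def ca_validates(host, key_authorization):
    """The CA connects to the IP the requested domain resolves to, sends the
    validation name as SNI, and checks the presented certificate carries it."""
    expected = validation_name(key_authorization)
    presented = host.tls_handshake(expected)
    return presented is not None and presented[1] == expected


def cross_tenant_issuance(validate_ownership):
    """Both tenants share one IP. Tenant 'mallory' answers a challenge issued for
    tenant 'alice's domain by uploading a certificate for the validation name.
    Returns True when the CA would have issued."""
    host = SharedHost(validate_ownership)
    host.assign_domain("alice", "alice.example")
    host.assign_domain("mallory", "mallory.example")
    key_authz = "constructed-token.constructed-thumbprint"  # constructed value
    host.upload_certificate("mallory", validation_name(key_authz))
    return ca_validates(host, key_authz)


if __name__ == "__main__":
    print("weak provider policy, CA issues:", cross_tenant_issuance(False))
    print("ownership-validating policy, CA issues:", cross_tenant_issuance(True))
```

Under the corrected policy the challenge fails for the legitimate tenant too, since no customer may claim `.acme.invalid` names. That is the design point: the method only works where every provider cooperates, which is why the CA retired it rather than relying on hosting-side checks.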

High-Tech Bridge’s own free SSL security testing service tests for known vulnerabilities in SSL/TLS implementations (e.g. Heartbleed) and in encryption protocols (e.g. POODLE), as well as checking whether an SSL/TLS configuration is compliant with PCI DSS requirements, HIPAA guidance and NIST guidelines. It was launched at Black Hat Europe 2015, and more than 600,000 users have already tested their systems and services using it.

Let's Encrypt is an SSL/TLS certificate authority run by the non-profit Internet Security Research Group (ISRG), and it no longer accepts TLS-SNI validation. Another brick in the wall of online security for all…

Mark Mayne has covered the security industry for more than 15 years, editing news for SC Magazine and editing SecurityVibes UK. Mark has a background in national news journalism and tech reporting, and has run b2b and b2c editorial sites.